How Anonymous plans to use DNS as a weapon

An Anonymous threat to take down the global Domain Name Service may have been …

After engaging in a recent rash of attacks in retaliation for the takedown of file-sharing site Megaupload, the Anonymous denial of service "cannons" have been firing considerably fewer shells of late.

While Anonymous group members managed to take down Interpol's website on February 28 (largely by using a Web version of their "Low Orbit Ion Cannon" denial of service tool) and have defaced a number of vulnerable sites (including, most recently, sites belonging to Panda Security), threats to take down bigger targets have failed to materialize. What some believed to be the group's boldest plan yet—an effort to bring down the Internet's entire Domain Name System (DNS)—is now being called a "troll" by members of the group.

But this doesn't mean the threat of more targeted denial of service attacks that abuse DNS has gone away. Disappointed with the current denial of service tools at their disposal, members of Anonymous are working to develop a next-generation attack tool that will, among other options, use DNS itself as a weapon.

An amplifier

The scale and stealthiness of the technique, called DNS amplification, is its main draw for Anonymous. DNS amplification hijacks an integral part of the Internet’s global address book, turning a relatively small stream of requests from attacking machines into a torrent of data sent to the target machines, potentially delivering network traffic of tens or hundreds of gigabytes per second without revealing the source of the attack. It does so by using a vulnerability in the DNS service that's been known since at least 2002.

The DNS system is organized hierarchically. At the top of the hierarchy are the "root" nameservers. These contain information on where to find the nameservers responsible for the next level down in the hierarchy, the nameservers for things like ".com" and ".org" and ".uk." In turn, those nameservers contain information about the next level of the hierarchy, so the ".com" nameserver provides information on where to find the "arstechnica" nameserver. The "arstechnica" nameserver is then able to provide the actual mapping from a descriptive name to a numerical IP address.

Doing a DNS lookup requires accessing all these different levels of the hierarchy. There are two ways that a DNS resolver (the piece of software that looks up DNS entries, which can either be a standalone thing on a client machine, or a part of a DNS server) can work: an iterative mode and a recursive mode. In the iterative mode, the resolver first queries the root nameservers for the top-level domain's nameservers, then queries the top-level domain's nameservers for the second level domain's nameservers, and so on and so forth. The resolver contacts the different nameservers directly, one by one, until it has either found the answer it needs or given up because the answer doesn't exist.

In recursive mode, the resolver's job is much simpler: it asks one DNS server for the whole name, then leaves it to the server to perform all the necessary requests (either recursive or iterative) on its behalf.

Figure: How DNS recursion is supposed to work, in three easy steps. (Sean Gallagher)

There is also extensive caching by all the servers involved; many requests are serviced using information stored in the cache rather than having to query other servers each time a machine wants to know how to find "google.com," for instance.

Typically, the DNS resolvers built into client operating systems ask nameservers (usually the ones provided by ISPs) to perform recursive queries on their behalf. The lookups then performed by these servers to fulfill the requests are typically iterative.

Here's where the problem arises. The response to a DNS query can be considerably larger than the query itself. In the best (or worst) case, a query of just a few dozen bytes can ask for every name within a domain and receive hundreds or thousands of bytes in response. Every request sent to a DNS server has a source address—an IP address to which the reply should be sent—but these source addresses can be spoofed. That is, a request can be sent from one IP address but the DNS server will think it was sent by a different address.

Using these two things—recursive lookups that return large amounts of data to small queries, and spoofed source addresses—attacks can be made. The attacker first finds a server that is configured to enable recursive lookups. He then sends a large number of requests to the server, spoofing the source address so that the server thinks that the victim machine is making the request. Each of these requests is chosen so that it generates a large response, much larger than the queries themselves. The server will then send these large responses to the victim machine, inundating it with traffic. The disparity between the request size and the response is why these attacks are known as "amplification" attacks.
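To make the size disparity concrete, here is an added Python example (not from the article, and not code from any Anonymous tool). It builds the wire-format query the article later calls a "root hint" request (NS records for "."), pairs it with a constructed sample response, and reports what a defender auditing their own resolver wants to know: whether the server offers recursion to outside queries (the RA flag in the response header) and how many bytes go out per byte that came in. The response builder, its record sizes and the transaction id are assumptions; real responses differ in size because of name compression, glue records and DNSSEC data.

```python
import struct

def encode_name(name: str) -> bytes:
    """Encode a dotted name as uncompressed DNS labels; "." encodes as a single zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(name: str, qtype: int, txid: int = 0x1234) -> bytes:
    """Minimal DNS query: 12-byte header with RD (recursion desired) set and one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN

def parse_header(msg: bytes) -> dict:
    """Decode the header fields a reflector audit cares about (QR, RD, RA, RCODE, counts)."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),
        "rd": bool(flags & 0x0100),
        "ra": bool(flags & 0x0080),
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }

def build_root_hint_response(query: bytes) -> bytes:
    """CONSTRUCTED sample answer to a '. IN NS' query: echoes the question and lists
    thirteen root-server names as uncompressed NS records. Real responses differ in
    size (compression, glue, DNSSEC records); this is for illustration only."""
    txid, _flags, qd, *_ = struct.unpack("!HHHHHH", query[:12])
    question = query[12:]
    names = [f"{c}.root-servers.net." for c in "abcdefghijklm"]
    answers = b""
    for n in names:
        rdata = encode_name(n)
        # owner name ".", TYPE NS (2), CLASS IN (1), TTL, RDLENGTH, RDATA
        answers += encode_name(".") + struct.pack("!HHIH", 2, 1, 518400, len(rdata)) + rdata
    header = struct.pack("!HHHHHH", txid, 0x8180, qd, len(names), 0, 0)  # QR=1 RD=1 RA=1
    return header + question + answers

def amplification_factor(query: bytes, response: bytes) -> float:
    """Bytes returned per byte sent: the quantity an attacker exploits and a defender measures."""
    return len(response) / len(query)

def audit_pair(query: bytes, response: bytes) -> dict:
    """Summarise one query/response pair as seen from outside the server's network."""
    h = parse_header(response)
    return {
        "open_recursion_offered": h["qr"] and h["ra"],
        "answer_records": h["ancount"],
        "amplification": round(amplification_factor(query, response), 1),
    }

if __name__ == "__main__":
    q = build_query(".", 2)            # the "root hint" query: NS records for "."
    r = build_root_hint_response(q)
    print(len(q), "byte query ->", len(r), "byte response", audit_pair(q, r))
```

The same `audit_pair` check can be run over query/response pairs pulled from a capture of your own resolver: a response with RA set to a query that arrived from outside your network is the configuration the article describes as exploitable, and the ratio tells you how much traffic each such query could reflect.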

An attacker's benefits

A paper (PDF) presented at the 2006 DefCon security conference by Baylor University's Randal Vaughan and Israeli security consultant Gadi Evron documented a series of DNS amplification attacks in late 2005 and early 2006—including one on Internet service provider Sharktech that achieved volumes of packets "as high as 10Gbps and used as many as 140,000 exploited name servers." Depending on the number and network capacity of servers targeted, it’s reasonable to assume a coordinated attack by Anonymous could generate several times that volume.

As Vaughan and Evron wrote, "A DNS query consisting of a 60 byte request can be answered with responses of over 4000 bytes, amplifying the response packet by a factor of 60."

In a variant of the attack described by SecureWorks' Don Jackson, the query simply asks the server for a "root hint": the addresses of the name servers for the "." domain, the home of the Internet's root DNS servers. Because there are a large number of root name servers, and because the implementation of DNSSEC has added certificate data to root server responses, the data returned for each request is about 20 times larger than the query packet.

Figure: A comparison of the payloads of a DNS "root hint" query and its response. Not all data shown. (Sean Gallagher)

Since it’s possible to hide the source of an attack with UDP through forged headers, and because it requires relatively little bandwidth from the attack side, DNS amplification has some obvious benefits to groups like Anonymous. While attackers can't use the Tor anonymizing network (Tor doesn't transfer UDP traffic), they can use various VPNs to add another layer of security.

Aside from the mass of data a DNS amplification attack can create, an attacker gets other benefits from the technique. DNS amplification relies on UDP, a "connectionless" protocol under which packets get sent to a destination without any sort of "handshake" or even a guarantee it will be received. Because there's no sort of negotiation (and because DNS data isn't something usually filtered by application firewalls or other systems), this isn't a simple attack to prevent.
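The article's point that the attack is hard to prevent at the victim does not mean it is invisible at the reflector. As an added example that is not part of the article, here is Python detection logic run over a resolver's own query log: in an amplification flood the logged "client" is the spoofed victim, so the pattern to look for is a burst of identical amplifying queries (ANY, or NS for ".") attributed to one address, often from a single fixed source port. The simplified BIND-style log layout and the lines below are constructed for the example; the address the detector names is the one to rate-limit responses to, not an attacker to block.

```python
import re
from collections import defaultdict
from datetime import datetime

# CONSTRUCTED sample lines in a simplified BIND-style query-log layout (assumption:
# "<date> <time> client <ip>#<port>: query: <qname> IN <qtype> <flags>").
SAMPLE_LOG = """\
06-Mar-2012 10:00:00.101 client 203.0.113.10#40001: query: www.example.com IN A +
06-Mar-2012 10:00:00.305 client 203.0.113.10#40002: query: mail.example.com IN MX +
06-Mar-2012 10:00:01.010 client 198.51.100.7#53: query: . IN NS +E
06-Mar-2012 10:00:01.011 client 198.51.100.7#53: query: . IN NS +E
06-Mar-2012 10:00:01.012 client 198.51.100.7#53: query: . IN NS +E
06-Mar-2012 10:00:01.013 client 198.51.100.7#53: query: . IN NS +E
06-Mar-2012 10:00:01.014 client 198.51.100.7#53: query: . IN NS +E
06-Mar-2012 10:00:01.015 client 198.51.100.7#53: query: . IN NS +E
06-Mar-2012 10:00:01.016 client 198.51.100.7#53: query: . IN NS +E
06-Mar-2012 10:00:01.017 client 198.51.100.7#53: query: . IN NS +E
06-Mar-2012 10:00:02.500 client 203.0.113.10#40003: query: example.com IN ANY +
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d+) client (?P<ip>[\d.]+)#(?P<port>\d+): "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)

def parse_query_log(text: str) -> list:
    """Turn log lines into records; lines that do not match the layout are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%d-%b-%Y %H:%M:%S.%f")
        rec["port"] = int(rec["port"])
        records.append(rec)
    return records

def is_amplifying(rec: dict) -> bool:
    """Query shapes whose answers are far larger than the question."""
    return rec["qtype"] in {"ANY", "DNSKEY", "RRSIG"} or (rec["qtype"] == "NS" and rec["qname"] == ".")

def detect_reflection_bursts(records: list, threshold: int = 5, window_s: float = 2.0) -> list:
    """Flag client addresses that sent >= threshold amplifying queries inside any
    window_s-second window. In a reflection attack the 'client' is the spoofed
    victim, so the alert names the address to rate-limit, not an attacker to block."""
    by_client = defaultdict(list)
    for rec in records:
        if is_amplifying(rec):
            by_client[rec["ip"]].append(rec)
    alerts = []
    for ip, recs in by_client.items():
        recs.sort(key=lambda r: r["ts"])
        start, best = 0, 0
        for end in range(len(recs)):          # sliding window over the sorted timestamps
            while (recs[end]["ts"] - recs[start]["ts"]).total_seconds() > window_s:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts.append({
                "client": ip,
                "burst": best,
                "qtypes": sorted({r["qtype"] for r in recs}),
                "fixed_source_port": len({r["port"] for r in recs}) == 1,
            })
    return alerts

if __name__ == "__main__":
    for alert in detect_reflection_bursts(parse_query_log(SAMPLE_LOG)):
        print(alert)
```

The single ANY query from 203.0.113.10 is ordinary resolver traffic and stays below the threshold; the eight back-to-back root NS queries "from" 198.51.100.7 on port 53 are the reflector signature. Response rate limiting keyed on that address, or disabling recursion for clients outside your own network, is the resolver-side fix.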

There are times I seriously wonder how closely Ars and the Anons are related...

Are you implying that they know so much that one must be involved in the other? If so, it's an incredibly subtle way of questioning the intents of everyone that ever did some research into the things that go on in the world. Some people are just interested, and like to read this.

It's almost as if you mean trying to understand things is bad.

Listen, it's very simple. Innocent people do nothing to protect themselves. They simply sit there waiting to be victimized. Doing otherwise makes clear that they lack sufficient faith in the status quo.

In reality, if they ever want to be considered a real force to be reckoned with, they do need something even people who aren't exceptionally technical can use. Without that, they fail to capitalize on many would-be supporters. I do question the config file concept, though, as it leaves suspicion on the table.

Still, though an "AOL for Activism" tool would be exceptionally useful, time waits for none.

Or did I just strike a nerve? Maybe it wasn't a joke after all............................DUM DUM DUUUUM

For the record, I love the in-depth stories Ars has been posting about Anonymous and the bunch. It's one of the best examples of proper journalism I have seen. They actually do full research and go right to the primary sources for info.

I think Anonymous may find that they yanked the tail of the tiger if they "succeed" with this form of attack. Getting even close to a credible attempt at taking down major root servers will bring attention from some quite serious people - it will be interesting to see how the current crop of hacking court cases play out.

Vandalizing the net for reasons of political activism is - sometimes - within the realm of discussion (I personally wouldn't cry too much if sites belonging to the Syrian government went down, but it is still NOT the right thing to do; we're supposed to have accountable governments to make such decisions). Taking down root servers for fun or simply to be obnoxious is unacceptable.

It's also ironic that they would be attacking the very network that gives them any reach in the first place. Imagine the influence and attention these people would have had in pre-internet days... right: none.

Heh. Now they think they're l0pht. Of course, when l0pht said they could take down the Internet, they were probably right because at that time, the infrastructure was very weak. But whatever. I'm sure they'll try just like they tried with amazon, much to the same effect.

DDoS attacks are annoying but a couple of days later people will have forgotten about them. DDoS on sites that people actually want to visit, like PSN or Facebook, are even counter-productive. The one exception is perhaps government infrastructure in dictatorships (but to do so without interfering with e.g. TOR traffic in those countries).

Obvious site-defacements usually show the admins aren't up to the latest patch levels, and -generally speaking- don't last long. Subtle defacements (e.g. unobtrusively adding links to postings/sites critical of the 'victim') might get no attention at all.

So the question is: what CAN Anonymous do to bring to light that which they don't forget and forgive, preferably in a legal way?

I think they are trying to crowdsource their blackhattery, instead of relying on a small, infiltratable group. Antisec sent the Norton 2006 source code into the wind about an hour ago. Between magnet links on the Pirate Bay and the now-established connection between Anonymous and Wikileaks, the whole landscape of infosec could be changing.

They don't have to find recursive servers. They just need to send spoofed requests to servers running cPanel (and other control panels that have built-in DNS servers) for records of their own domains. Lots more targets this way.

That being said, UDP DDoS attacks are nothing new and are easily dealt with, since MOST of the traffic that goes to a web server is TCP. A datacenter need only drop UDP to the target IP at their border to mitigate the DDoS. Usually, the DNS requests from a server in a datacenter go to local DNS recursive resolvers, so this would not impact anything. Attacking UDP-based services like SIP or other DNS servers would be more effective but not as useful politically.

So I'm a little confused here. Now, I know most DNS requests are UDP, but any requests over 512 bytes are meant to be carried out over TCP, and thus the maximum amount of data you could send to someone without them knowing would be 512 bytes; any more than that and you would need to do a TCP negotiation first. I guess you are getting amplification of 8.5 times on a 60 byte request, but it seems a bit average.

Recently, there was a series of attacks against Garry's Mod servers which used a similar exploit to this only instead of bouncing off DNS servers it would use a bug in the Call of Duty 4 dedicated server status querying system. Kind of sad to see that these kinds of bugs still exist in 2012.

Considering how easy it was for the Feds to catch some of these nerds, I suspect their heads are bigger than their talents. It's like the small-time criminal who robs gas stations. But let 'em try and rob a bank and he will get caught. Technology and knowledge are not just on the side of Anonymous.

So Ars posts a 2 page article titled "How Anonymous Plans To Use DNS As A Weapon" and the article's last paragraph starts with "For now, this tool remains just a concept. As of mid-February, members of Anonymous hadn't begun to actually write code for it."

You can send UDP packets whose size is larger than the MTU (maximum transmission unit) of the link, they will just get fragmented and reassembled by the IP layer. If you are trying to send data efficiently/reliably then this may be a bad idea, since the loss of a single fragment will result in the loss of the entire packet, so the increased performance you get from fewer headers will be lost due to an increased number of retransmissions. But if you just want to pummel someone with data, that doesn't matter so much. Also the MTU of most real-world networks is between 576 and 1500 bytes, so you can get bigger than 512 without having to worry about fragmenting.

the attack was said to target the entire DNS infrastructure, bringing the 'Net to its knees.

Again I question the difference between Anon and a terrorist organization in terms of tactics. How is this a protest or a method of trying to bring down corruption, vs the cyber equivalent of blowing up a bomb in the middle of a city? Go ahead Anon....DO IT. Guess how many people will be on your side if you take down DNS.

Transmitting packets with spoofed IPs across the Internet can be even more annoying than the article says.

For lots of consumer grade routers, there's no way to send a packet without having the router NAT the source address to the router's public address. So, you need to get it out of the way.

And many routers out there in ISPs and data centers have reverse path filters, so you can only send packets with source addresses in the same subnet as you are. It's unlikely that you'll be able to send a packet with a spoofed address belonging to a target on the other side of the world.

So, while the technique is feasible, it requires some commitment and still holds some risk.

And this is why many more of Anonymous are going to end up in jail. They just keep trying to piss off more and more people. If it were to actually work (which is a huge if), what does this really do for them?

Reverse path filtering checks for two things:
1. To see if the device has a path back to the source address AND...
2. That the interface the packet came in on is the best one for the packet to have arrived on

If those two conditions aren't met then the packet will be dropped.

In the case of a packet going *in* to a network through a device connected to the Internet, reverse path filtering will not help because the device will always have a 0.0.0.0 route pointing back out to the Internet. In other words, I can DoS you all day long across the Internet with spoofed packets with a source IP of, say, Google, because your router will recognize that it has a 0.0.0.0 route from itself right back to Google (there are exceptions of course with multi-homed routers and more complex networks, but you get the gist).

Reverse path filtering is very useful for stopping people from sending packets with spoofed internal IPs into your network from the outside (I.e., the WAN interface of a router or firewall should never receive a packet from an IP in the private range). It's also useful for keeping people from sending spoofed packets from inside your network to the outside world (the LAN interface of a router or firewall should never receive a packet with a source IP of, say, Google--again, there are exceptions depending on the complexity of the network and what it's doing (corporation, home user, ISP, etc)).

The best defense against IP spoofing is for providers to use egress filtering (in which they don't allow a packet out unless the source IP is a legitimate IP inside the network). Unfortunately most providers don't do this.
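To illustrate the two filtering points made in the comment above, here is an added Python simulation (not from the article or any commenter) of reverse path filtering and provider egress filtering evaluated against a constructed routing table. The table, the interface names and the addresses (taken from the RFC 5737 documentation ranges) are assumptions; the behaviour it shows is why strict RPF on an Internet-facing interface with a default route cannot stop inbound spoofing, while source-address filtering on the way out can.

```python
import ipaddress

# CONSTRUCTED routing table for a small site's border router (assumption: one WAN link,
# addresses from the RFC 5737 documentation ranges). Entries are (prefix, interface).
ROUTES = [
    ("0.0.0.0/0", "wan"),        # default route: everything unknown goes out to the Internet
    ("192.0.2.0/24", "lan"),     # the site's own public prefix, reachable via the LAN side
    ("10.0.0.0/8", "lan"),       # internal private space
]
SITE_PREFIXES = ["192.0.2.0/24"]  # what the upstream provider has assigned to this site

def best_route(table, ip):
    """Longest-prefix match: the interface the router would use to reach ip, or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, iface in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def rpf_accepts(table, src_ip, in_iface, strict=True):
    """Reverse path filter: strict mode requires the best route back to the source to
    leave via the interface the packet arrived on; loose mode only requires that some
    route back to the source exists."""
    via = best_route(table, src_ip)
    if via is None:
        return False
    return via == in_iface if strict else True

def egress_accepts(site_prefixes, src_ip):
    """Provider-side egress filter (BCP 38 / RFC 2827 style): a packet may leave the
    customer link only if its source address lies inside the customer's assigned prefixes."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in ipaddress.ip_network(p) for p in site_prefixes)

def summarise():
    """The cases the comment walks through, evaluated against the constructed table."""
    return {
        # Spoofed external source arriving from the Internet: the default route points back
        # out the WAN, so even strict RPF lets it through (the comment's main point).
        "inbound_spoof_external_src": rpf_accepts(ROUTES, "203.0.113.5", "wan"),
        # Private-range source arriving on the WAN: best route is the LAN, so strict RPF drops it.
        "inbound_spoof_private_src": rpf_accepts(ROUTES, "10.1.2.3", "wan"),
        # Same packet under loose RPF: a route exists, so it is accepted.
        "inbound_spoof_private_src_loose": rpf_accepts(ROUTES, "10.1.2.3", "wan", strict=False),
        # A host inside the site spoofing an external address toward the Internet: dropped on the LAN side.
        "outbound_spoof_from_lan": rpf_accepts(ROUTES, "203.0.113.5", "lan"),
        # Provider egress filter on the same outbound spoof versus a legitimate site address.
        "egress_spoof": egress_accepts(SITE_PREFIXES, "203.0.113.5"),
        "egress_legit": egress_accepts(SITE_PREFIXES, "192.0.2.10"),
    }

if __name__ == "__main__":
    for case, accepted in summarise().items():
        print(f"{case:32s} {'accepted' if accepted else 'dropped'}")
```

Loose mode is what most operators can deploy on multi-homed or asymmetric links without dropping legitimate traffic, and the simulation shows its limit: any source that has some route is accepted, so it only catches addresses that are unrouted altogether. The egress check needs no routing knowledge at all, only the list of prefixes the provider handed out, which is why the comment calls it the best defense.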

Well, it did look like a bunch of people immediately claimed troll. Anon's greatest weakness is their lack of a central authority, so there are random attacks on toilet paper manufacturers, harassment of random girls, etc. With such a broad following, and with little discussion over aims and methodology, "for teh lulz" means different things to different people. As such, if an attack on DNS were to occur, there would be a sudden internal debate over whether or not the internet should be shut off... I tend to think that the overwhelming majority of people with LOIC installed need new pr0n too much to have a synchronized attack on the DNS servers for longer than about an hour. There isn't any sense of a unified message being pushed here; if there was, Anon wouldn't be a nuisance, they would be terrorists.

I think an organization with the same amount of followers and technical experience as Anon could pull something like this off. It's worrisome that some smaller governments, and even larger nationalist groups, have the capacity to have a semi-credible threat against one of the most massive aspects of our economy.

Anon's gravest threat will emerge as they are hunted down: if they band together as a cohesive group, determine why they are still involved with something that potentially gives them jailtime, and find inspiration in this. Right now they are an amusement.

I like ars a lot. It's the first blog I check every day. I have to say that I'm a bit disappointed in this article though.

First of all, recursive queries are not a "vulnerability" in DNS. It's designed that way. The fact that it's turned on by default, that most administrators don't turn it off even when it's not needed, and that most administrators don't harden their servers with ACLs are all major problems, but they're human errors not vulnerabilities.

Second, what proof is there that Anonymous is planning on moving towards amplification attacks? If it's an anonymous (pun intended) source then it should be stated in the article, even though the name has to be withheld. Right now it looks like the article is pure speculation based mostly on A) a tool that was talked about but Anonymous has no plans to develop, and B) a hoax saying Anonymous was going to take down the DNS root servers on March. 31st, which they've publicly denied with the claim that they'll never attack communications.

At most, the attack would affect the networks of the DNS servers being used to launch the attack and the networks they reside upon.

Really insightful comment. If you agree then comment why. No offense intended.

hah none taken. i said meh because this was the first thing i thought as well. if said attack worked, you're removing the closest link in the chain to the rest of the DNS/internet. you can't climb up a ladder if you remove the first couple rungs.

Sean Gallagher / Sean is Ars Technica's IT Editor. A former Navy officer, systems administrator, and network systems integrator with 20 years of IT journalism experience, he lives and works in Baltimore, Maryland.